ChatGPT and other commercial large language models (Claude, Gemini, Copilot) have become everyday tools across marketing, engineering, support and finance teams. What started as a personal experiment in 2023 is now an embedded productivity layer in the workforce, often without the security team knowing what data flows out, to which vendor, and under which retention policy. For a CISO in 2026, ChatGPT is not just another SaaS app: it is an outbound data channel that touches intellectual property, personal data and trade secrets within seconds.
This article covers the seven primary risks to mitigate, the technical controls that actually work, an enforceable acceptable use policy, and a 90 day AI governance plan that avoids the two usual extremes (full ban or open season).
The essentials
- The number one ChatGPT risk in business is not an external attack, it is outbound data leakage from the employee themselves.
- Shadow AI (unsanctioned use of personal LLM accounts) affects most organizations above 500 employees according to Gartner and Cisco surveys from 2025.
- OpenAI Team and Enterprise plans offer zero retention by default, training opt-out, SSO and DPA. Free and Plus do not.
- GDPR, the EU AI Act and NIS2 already apply: lack of a documented AI policy is treated as a control gap in audits.
- Blocking ChatGPT at the firewall solves nothing if employees use it from a personal phone. The answer is governance, not prohibition.
Why ChatGPT Matters to the CISO in 2026
Three dynamics explain why commercial LLM security has moved to the top tier of corporate risk.
First, adoption is massive and organic. OpenAI surveys released in 2025 put weekly active users in the hundreds of millions, with corporate penetration no longer measured in pilots but in daily use across departments. Employees do not ask permission: they discover the product, try it on a small task, and spread it to everything.
Second, shadow AI has overrun the traditional perimeter. An employee may have chat.openai.com blocked on the corporate network and open the same chat on their personal phone with the sensitive content in front of them. Outbound control is no longer won at the DNS layer, it is won through policy, training and behavioral monitoring.
Third, the regulatory framework has closed in. The EU AI Act entered phased application in 2025-2026, NIS2 Article 21 demands security controls across the digital supply chain (LLMs sit inside that), and GDPR holds firm on any processing of personal data by a processor, whether OpenAI, Microsoft or Google. A company without a documented AI use policy enters an audit with a visible gap.
The result is that, in 2026, there is no room to treat ChatGPT as an optional tool outside the security program. It is in scope.
The 7 Main ChatGPT Risks in Business
1. Outbound Data Leakage
The most frequent risk and the one with the highest average impact. An employee pastes into the chat a fragment of proprietary source code, an unredacted contract, a client list, or a pre-release financial report to have ChatGPT summarize, refactor or translate it. In free and Plus plans, that content may be used to train future model versions under default terms. Even if not used for training, it remains logged on the provider side.
The 2023 Samsung case is the publicly cited reference: three employees exposed semiconductor code and internal notes by pasting them into ChatGPT, which led Samsung to temporarily ban generative AI across its teams. The pattern has repeated across many organizations that did not disclose it.
2. Inbound Prompt Injection
When ChatGPT connects to external content (web browsing, plugins, uploaded documents, API integrations in agents), it becomes vulnerable to prompt injection: malicious instructions hidden inside a page, a PDF or an email that the model interprets as legitimate orders. The attacker can ask the assistant to exfiltrate the conversation history, invoke a tool with malicious parameters, or return a deceptive answer to the user.
This risk grows as ChatGPT gains agentic capabilities (Operator, tool using agents, calendar and email integrations). For the underlying mechanics, see our guide on prompt injection in LLM attacks.
3. Hallucinations in Critical Decisions
LLMs produce plausible outputs that can be factually wrong. In customer support drafting, marketing copy or brainstorming, the cost of a hallucination is low. In a legal opinion, a medical assessment, a financial analysis or a security diagnosis, the cost can be structural.
The issue is not that hallucinations exist, it is assuming the team understands the boundaries. Without targeted training, employees over-trust answers that sound competent.
4. Intellectual Property Infringement
Two angles. One, content the employee generates with ChatGPT may incorporate fragments protected by third party rights without their knowledge. There are open lawsuits in the United States and Europe against several LLM providers over the use of protected works in training.
Two, content the employee feeds into the model on a plan without training opt-out may end up residually reflected in responses to third parties. Hard to prove in a specific case, but the possibility exists and Enterprise plans remove it contractually.
5. Vendor Lock-in and Operational Dependency
Whole departments build critical workflows on top of ChatGPT (customer support, proposal generation, ticket analysis) without a corporate contract. If OpenAI experiences downtime, raises prices, or deprecates a model, the business is hit and there is no contractual SLA to lean on because the subscription is on the employee personally.
6. Shadow AI
The umbrella problem. Any uninventoried use of generative AI inside the organization: personal ChatGPT on a phone, Claude in the laptop browser, Copilot bundled into an Office subscription that no one configured, agents installed in a GitHub repository. Shadow AI is the natural outcome of forbidding without offering a sanctioned alternative.
7. Lack of Auditability and Traceability
If a client, a regulator or an internal committee asks what content was processed with which LLM, in which account and under which retention, the answer in a company without AI governance is: we do not know. That lack of traceability is incompatible with ISO 27001, with NIS2 and with the transparency requirements of the AI Act for high risk systems.
Documented Real Cases 2025-2026
The 2023 Samsung incident remains the most cited public case of data leakage through uncontrolled ChatGPT use in business. It triggered an immediate internal ban and sparked corporate conversation around AI policies.
OpenAI reported during 2023-2024 an exposure incident affecting conversation titles and billing data for a subset of users, traced back to a bug in a client library (Redis), and a later incident reported by media outlets concerning unauthorized access to internal company forums. These are reminders that the provider is also a target and that the information sent lives on their infrastructure.
In 2024-2025, several campaigns of exfiltration through plugins and third party connectors were documented across LLM ecosystems, where the combination of prompt injection on a web page and excessive plugin permissions allowed attackers to pull user content. Anthropic, OpenAI and Microsoft have since tightened permission models, but the risk does not disappear, it only changes shape.
Practical takeaway: do not wait for the headline with your company name on it. The pattern is well documented.
Mapping to Regulatory Frameworks
GDPR applies the moment an employee sends personal data to ChatGPT. OpenAI acts as a processor, and the company remains the controller. Without a signed DPA (included in Enterprise plans), sending identifiable personal data to a public LLM is hard to defend before a supervisory authority. Spain's AEPD and other European authorities opened proceedings on this in 2023 and 2024.
The EU AI Act classifies AI systems by risk. Internal use of ChatGPT for general assistance is not high risk. But if the organization embeds LLMs into hiring decisions, employee evaluation, credit scoring or critical infrastructure management, the use case enters the high risk category and triggers documentation, human oversight and audit logging requirements.
NIS2 Article 21 requires risk management measures across the digital supply chain, training, acceptable use policies and incident procedures. A serious AI governance program fits directly into those requirements. If your organization is already auditing NIS2, the AI block should be added to scope. Our NIS2 audit step by step guide breaks down how to structure the exercise.
ISO 27001 control A.5.23 (use of cloud services) covers commercial LLM subscriptions directly: selection, onboarding, monitoring and offboarding. For a refresher on the standard, see our ISO 27001 and NIS2 complementarity write up.
Technical Controls That Work
ChatGPT defense in business is built in layers. None of them alone is enough.
Modern outbound DLP. Platforms such as Netskope, Zscaler, Microsoft Purview, Palo Alto Prisma Access and Cisco Cloud Web Security inspect traffic to generative AI domains, detect sensitive data patterns (PII, source code, card numbers, health data, API keys) and apply policy: block, redact the sensitive content before submission, or warn the user while logging the event.
Egress proxy and generative AI category. Corporate web proxies since 2024 have specific categories for public LLMs. They allow distinguishing traffic to ChatGPT, Claude, Gemini, Perplexity and applying rules per user, group, device and data classification.
SSO and IdP broker. Forcing access to ChatGPT Enterprise or Team via the corporate IdP (Entra ID, Okta, Google Workspace) eliminates personal accounts in the work context, enables MFA and allows revocation upon offboarding.
Browser extensions for blocking and warning. There are centrally managed extensions that detect when a user pastes text into an LLM and apply prior policy: warning, automatic redaction or blocking if the content carries sensitive patterns. Useful as a second net for users outside the corporate proxy.
Monitoring of OpenAI infrastructure traffic. The SOC needs visibility on network destinations associated with commercial LLMs (not only ChatGPT, also API endpoints). Traffic to api.openai.com from unauthorized servers may indicate an uninventoried integration or active exfiltration.
Corporate sandboxes and private deployments. For sensitive use cases, models can run on Azure OpenAI (OpenAI models inside the Azure tenant), AWS Bedrock (Anthropic, Meta, Cohere, Mistral, Amazon) or Google Vertex AI (Gemini, Anthropic). Data does not leave the cloud the organization already contracts.
For broader controls tied to data exfiltration, see our guide on what is DLP.
Recommended Acceptable Use Policy
A workable AI policy stands on six pillars.
One, data classification by sensitivity. Define at least three tiers (public, internal, restricted) and declare which tier may enter which type of LLM. Restricted data (identifiable personal data, core source code, trade secrets, non public financial info, named client data) does not enter free or Plus plans, ever.
Two, explicit prohibition of proprietary source code in LLMs without a corporate contract. For coding assistance, the org uses GitHub Copilot Business or Enterprise, Cursor Business, Claude Code on enterprise plan, or deployments on Azure OpenAI or Bedrock, with contractual no-training commitments.
Three, mandatory Team or Enterprise tier for sanctioned use. Corporate account, SSO, zero retention by default, DPA. Remove the incentive to use a personal account.
Four, informed consent and logging. The employee accepts usage terms when the account is activated. Administrators retain usage logs for audit and incident response.
Five, mandatory training. Minimum 30 minute module at onboarding, annual refresh, and targeted communication on product changes. Training covers data leakage, hallucinations, prompt injection and incident procedure. We recommend pairing it with social engineering training because the vectors interlock.
Six, reporting channel and exceptions. A clear path for an employee to ask whether they can use AI for a specific task without feeling they are wasting time. The policy should favor consultation, not punish it.
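To make the outbound DLP control from the technical section and the data-to-LLM matrix from pillar one concrete, here is an added example (not code from the article or from any DLP vendor): a pre-submission prompt scanner that classifies findings into the three tiers, looks up the highest tier the destination plan may receive, and returns allow, warn, redact or block. The detector patterns, the per-plan limits and the sample prompt in the test are assumptions constructed for the illustration.

```python
import re
from typing import Dict, List, Tuple

# Data tiers from the policy section, lowest to highest sensitivity.
TIERS = {"public": 0, "internal": 1, "restricted": 2}

# Assumed data-to-LLM matrix: the highest tier each plan may receive.
# It encodes the article's policy for the example, not any vendor's terms.
MAX_TIER_BY_PLAN = {"free": "public", "plus": "public",
                    "team": "internal", "enterprise": "restricted"}

# Detectors as (name, tier, pattern). Illustrative, not a production DLP
# ruleset; the "sk-..." key shape is an assumption made for the example.
DETECTORS = [
    ("email", "restricted", re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")),
    ("card_number", "restricted", re.compile(r"\b\d(?:[ -]?\d){12,18}\b")),
    ("aws_access_key", "restricted", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("openai_api_key", "restricted", re.compile(r"\bsk-[A-Za-z0-9_-]{20,}\b")),
    ("internal_marker", "internal", re.compile(r"\b(?:INTERNAL|CONFIDENTIAL)\b")),
]
SECRETS = {"aws_access_key", "openai_api_key"}  # never forwarded, even redacted

Finding = Tuple[str, str, str]  # (detector name, tier, matched value)

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: drops random digit runs that merely look like cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def scan(text: str) -> List[Finding]:
    """Run every detector over the prompt and collect the findings."""
    findings = []
    for name, tier, pat in DETECTORS:
        for m in pat.finditer(text):
            value = m.group(0)
            if name == "card_number" and not luhn_ok(re.sub(r"\D", "", value)):
                continue
            findings.append((name, tier, value))
    return findings

def evaluate(text: str, plan: str) -> Dict:
    """Apply the matrix to a prompt bound for plan; returns action, findings, cleared text."""
    findings = scan(text)
    allowed = TIERS[MAX_TIER_BY_PLAN[plan]]
    over = [f for f in findings if TIERS[f[1]] > allowed]
    if not over:  # within policy; "warn" keeps a log entry for the SOC
        return {"action": "warn" if findings else "allow", "findings": findings, "text": text}
    if any(name in SECRETS for name, _, _ in over):
        return {"action": "block", "findings": findings, "text": None}
    redacted = text
    for name, _, value in over:  # strip only what this plan may not receive
        redacted = redacted.replace(value, f"[{name.upper()} REDACTED]")
    return {"action": "redact", "findings": findings, "text": redacted}
```

The same prompt yields redaction on a free or Plus account, partial redaction on Team, and a logged warning on Enterprise, which is the matrix doing the work instead of the employee's diligence.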
ChatGPT Team vs Enterprise vs Free
Comparative summary across the three plans, focused on security and compliance. Data based on OpenAI official pages and published terms as of June 2026, subject to change.
| Feature | Free / Plus | Team | Enterprise |
|---|---|---|---|
| Data retention | Standard (90 days) | Zero by default | Zero by default, configurable |
| Used for training | Manual opt-out | No by default | No, contractual |
| SSO (SAML, OIDC) | No | Limited | Yes |
| Audit logs | No | Basic | Yes, exportable |
| DPA available | No | Yes | Yes, extended |
| Processing region | Not guaranteed | Not guaranteed | Configurable (residency) |
| Dedicated support | No | Standard | Yes, manager |
| Indicative cost | Free / 20 USD per user | 25 to 30 USD per user | Negotiated |
The Free to Team jump is affordable and solves most of the problem for small and mid sized businesses. Enterprise is justified when there are residency requirements, full SSO integration, audit logs exportable to the SIEM, and meaningful volume.
Enterprise Ready Alternatives
Not everything is ChatGPT. The market offers several routes depending on the use case.
Azure OpenAI Service. OpenAI models (GPT-4o, GPT-4.1, o1, o3) running inside the customer's Azure tenant. Same capabilities, network control, Entra ID integration, Private Endpoint, data residency by region. Ideal for organizations on the Microsoft 365 stack with Azure EA commitments.
AWS Bedrock. Unified access to Anthropic Claude, Meta Llama, Cohere, Mistral, Amazon Nova and others. Native integration with IAM, KMS, CloudTrail, VPC endpoints. A solid option for AWS heavy organizations that want vendor diversity without managing infrastructure.
Google Cloud Vertex AI. Google Gemini and Anthropic Claude as managed services. Integration with BigQuery, Workspace, Vertex AI Agent Builder. A natural fit for Google Workspace organizations.
Anthropic Claude Enterprise. Direct product from Anthropic. Zero retention, SSO, DPA, strong traceability. Attractive for sensitive use cases in legal, healthcare or finance where Claude's reasoning quality is an advantage.
Simple selection rule: use the cloud you are already contracted with, unless a specific use case demands a particular model from another vendor.
AI Policy Rollout: 90 Day Roadmap
Executable plan that avoids both committee paralysis and "comprehensive framework" theater.
Weeks 1-2: discovery. Inventory of real usage. Anonymous staff survey, review of proxy and firewall logs (generative AI category), SaaS connector log review (Microsoft 365, Google Workspace), interviews with department leads. Output: list of AI tools in use, use cases, data involved.
Weeks 3-4: classification and matrix. Define data tiers and the matrix of which data can enter which tier of which vendor. Review existing contracts and default terms. Output: draft AI policy and data to LLM matrix.
Weeks 5-6: technical quick wins. Enable the generative AI category on proxy and firewall. Configure outbound DLP with minimal rules (PII, code, secrets). Roll out the warning extension across corporate browsers. Output: baseline outbound usage telemetry.
Weeks 7-8: contracts and SSO. Negotiate ChatGPT Team or Enterprise (or Claude Enterprise, Azure OpenAI, Bedrock per decision), sign DPA, integrate with the corporate IdP, enforce mandatory SSO. Output: active corporate accounts, personal accounts disincentivized.
Weeks 9-10: communication and training. Publish the AI policy, executive level communication, departmental training sessions, internal FAQ, query channel. Output: 100% of staff informed and trained.
Weeks 11-12: monitoring and tuning. Review DLP and SOC logs. Adjust rules (typical false positives: marketing emails, public documentation). First leadership review. Output: adoption report and exception backlog for the next 90 days.
At day 90 nothing is finished, but the organization has moved from zero governance to a solid base to iterate on.
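As an added example for the weeks 1-2 discovery step and for the SOC monitoring of LLM destinations described under technical controls (not code from the article): a parser for a constructed proxy log format, a per-user inventory of LLM front ends reached, and two detection rules, api.openai.com calls from hosts outside an assumed sanctioned list, and unusually large uploads. The log lines, the sanctioned-host list and the byte threshold are constructed for the example; real proxies use their own log formats.

```python
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Destinations named in the article; extend with the other vendors you allow.
LLM_CHAT_HOSTS = {"chat.openai.com"}
LLM_API_HOSTS = {"api.openai.com"}

# Assumed inventory of servers sanctioned to call the API (constructed).
SANCTIONED_API_CLIENTS = {"10.0.5.20"}

# Constructed proxy log lines: "<timestamp> <src_ip> <user> <dest_host> <bytes_out>".
# Zscaler, Netskope or Squid emit their own formats; adapt LINE_RE accordingly.
SAMPLE_LOG = """\
2026-06-10T09:12:03Z 10.0.5.20 svc-supportbot api.openai.com 4120
2026-06-10T09:13:44Z 10.0.8.77 - api.openai.com 928000
2026-06-10T09:14:10Z 10.0.3.15 jdoe chat.openai.com 2200
2026-06-10T09:14:55Z 10.0.3.42 asmith chat.openai.com 18000
2026-06-10T09:15:01Z 10.0.3.15 jdoe www.example.com 310
garbage line that does not parse
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d+)$")

def parse(log: str) -> List[dict]:
    """Parse the constructed format; malformed lines are skipped, not fatal."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, src, user, host, out = m.groups()
        events.append({"ts": ts, "src": src, "user": user,
                       "host": host, "bytes_out": int(out)})
    return events

def inventory(log: str) -> Dict[str, Set[str]]:
    """Discovery (weeks 1-2): which users reach which LLM front ends or APIs."""
    seen = defaultdict(set)
    for e in parse(log):
        if e["host"] in LLM_CHAT_HOSTS | LLM_API_HOSTS:
            seen[e["user"]].add(e["host"])
    return dict(seen)

def detect(log: str, large_upload: int = 500_000) -> List[Tuple[str, dict]]:
    """SOC rules: API calls from unsanctioned hosts, and unusually large uploads."""
    alerts = []
    for e in parse(log):
        if e["host"] in LLM_API_HOSTS and e["src"] not in SANCTIONED_API_CLIENTS:
            alerts.append(("unsanctioned_llm_api_client", e))
        if e["host"] in LLM_CHAT_HOSTS | LLM_API_HOSTS and e["bytes_out"] >= large_upload:
            alerts.append(("large_upload_to_llm", e))
    return alerts
```

The inventory output is the raw material for the week 1-2 tool list, and the alerts are the kind of events the weeks 11-12 review tunes for false positives.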
Frequently Asked Questions
Is it legal to use ChatGPT in business inside the European Union?
Yes, with conditions. You need a lawful basis for the personal data processed (consent, documented legitimate interest, contractual performance), a signed DPA with the vendor (included in Team and Enterprise plans) and an internal acceptable use policy. The free plan without a DPA is not defensible if you process identifiable personal data.
Can OpenAI use my data to train its models?
On the free and Plus plans, by default it may use your conversations to improve the service unless you switch on the opt-out in settings. On Team and Enterprise, data is not used for training by default, and the contract reflects that. If the conversation is sensitive, the control should not depend on each employee's diligence, it should be resolved by the tier you contract.
What do I do about existing shadow AI?
Inventory first, regulate later. A ban announcement without an alternative pushes the problem under the rug. The sequence that works is: discovery through logs and anonymous survey, sanctioned alternative on offer (Team or Enterprise), clear communication, 30 to 60 day adoption window, and policy enforcement from there.
Block or govern?
Govern. Blocking ChatGPT at the corporate firewall is a coherent decision only if the company gives up the productivity gain, accepts migration to alternative tools, and accepts that employees will use it on the personal phone anyway. The winning option in most organizations is providing the corporate tier, training, and monitoring.
Does the AI Act ban ChatGPT in my company?
No, except for uses classified as prohibited (social scoring, subliminal manipulation, mass biometric identification in public spaces). Ordinary general assistance is a permitted use case. What the AI Act does require for high risk systems (automated decisions about people, critical infrastructure, hiring, credit scoring) is documentation, human oversight, logging and impact assessments.
How much does ChatGPT Enterprise cost?
OpenAI does not publish an Enterprise price, it is negotiated per organization. As public guidance from trade press across 2024-2025, the typical range sits in the tens of dollars per user per month, with volume and term commitments. Team is published and sits around 25 to 30 USD per user per month. For an organization under 150 users, Team usually solves it. Above that, Enterprise quickly pays back with SSO, audit logs and residency.
Related Resources
- What is prompt injection: LLM attacks
- What is DLP (Data Loss Prevention)
- ISO 27001 and NIS2 complementarity
- NIS2 audit step by step
- DORA compliance guide for financial entities 2026
- What is social engineering
- MITRE ATT&CK: tactics and techniques
AI Governance with Secra
At Secra we help security teams move from shadow AI to a defensible AI governance program. Three common deliverables in 4 to 8 weeks:
- Shadow AI audit. Real discovery of LLM usage in your organization through logs, surveys and interviews. Inventory and risk map by department.
- AI policy in 4 weeks. Drafting, legal review, alignment with NIS2, ISO 27001 and the AI Act, communication plan and training.
- Outbound DLP review. Diagnostic of your current controls (Netskope, Zscaler, Purview or others) against the LLM vector, prioritized recommendations and rollout plan.
If you want an initial conversation to size the scope in your case, reach out from the contact page. You will have a proposal in under 48 hours.
About the author
Secra Solutions team
Ethical hackers with OSCP, OSEP, OSWE, CRTO, CRTL and CARTE certifications, 7+ years of experience in offensive cybersecurity, and authors of CVE-2025-40652 and CVE-2023-3512.